Mailing Lists: Apple Mailing Lists


OS X - AD integration tentative solution?



Hi all

Having followed recent discussions on this list with regard to running MOSX clients in a managed way, whilst authenticating against an existing AD setup, I decided to have a play. I got quite far, and have a summary that I would welcome comment/suggestions on.

My setup was a W2K AD, an Xserve with 10.2.5, and a 10.2.5 client. I went the Kerberos route, to avoid AD schema mods since they aren't feasible at a lot of sites. As per Michael Bartosh's recent posts, I followed the Kerb documents in the Kbase (107153-5). However, I could not get AFP service to offer kerberised logins. I created a service principal on the AD, and generated its krb5.keytab. I set AFP to accept Kerb authentication only, and rebooted the Xserve for good measure. I can log in locally on the Xserve as a kerb-authed user, but not from a client. A packet sniff showed that the server was not advertising kerb to the client, and I got error -5002 from the client. Am I misconfigured, or is this a bug?

To overcome this, I set the home directories on the Xserve to mount via NFS, which seems to work fine. Does this have any negative impact?

So, I now have to import all the users from AD into Open Directory (pretty simple), create their Mac homedirs (createhomedir -a) and keep them synched (some not too painful scripting). I end up with one set of users, one point of authentication, and two sets of homedirs; not necessarily a bad thing at many of my sites, where the goal is to keep the Macs mostly separate. Users can, of course, mount their W2K shares via SMB once logged in. This all seems quite positive, so before I deploy at a (willing) test site or two, are there any caveats I should be aware of?

yours looking to the gurus


matt jenns
macos-x-server mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/macos-x-server
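The "keep them synched" step above is where the account lifecycle matters: a user removed or disabled in AD should not keep a working Open Directory account and home on the Xserve. The following is an added example (not the poster's script) of the delta calculation such a sync job needs; the AD and Open Directory user lists are constructed sample data, and in practice would come from an LDAP query against AD and from the local directory tools on the server (assumed, not shown).

```sh
#!/bin/sh
# Compute the account delta between an AD user export and the Open Directory
# user list: users new in AD need a local account and home (createhomedir),
# and accounts that have vanished from AD should be disabled or removed rather
# than lingering with a valid home directory.

# Constructed sample lists, one short name per line (not real directory output).
AD_USERS='alice
bob
carol
dave'

OD_USERS='alice
bob
erin'

# Print the names in list $1 that do not appear in list $2, preserving the
# order of $1, skipping blank lines and duplicates. Pure awk so it works in
# any POSIX sh without temp files or process substitution.
only_in() {
    printf '%s\n' "$1" | awk -v other="$2" '
        BEGIN {
            n = split(other, a, "\n")
            for (i = 1; i <= n; i++) if (a[i] != "") seen[a[i]] = 1
        }
        NF && !seen[$0] && !dup[$0]++ { print }'
}

# AD users with no Open Directory account yet: import, then run createhomedir.
missing_locally() { only_in "$AD_USERS" "$OD_USERS"; }

# Open Directory users no longer present in AD: candidates for disabling.
stale_locally()   { only_in "$OD_USERS" "$AD_USERS"; }

# Dry-run report; a real sync job would act on each name instead of echoing.
report() {
    for u in $(missing_locally); do echo "IMPORT $u"; done
    for u in $(stale_locally);   do echo "DISABLE $u"; done
}

[ "${1:-}" = "--report" ] && report
```

Run with `--report` to see the planned actions; the two functions can be fed real exports by replacing the sample lists.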

